Android Flaw Leaves 99% of Devices Vulnerable to Hackers

According to San Francisco mobile security firm Bluebox, a security flaw in Android allows hackers to gain access to any app and modify it into a Trojan program for collecting personal data or taking control of the system. The flaw has existed since Android 1.6, which means that almost all Android devices released in the past four years are vulnerable.

As there are discrepancies in how Android apps are cryptographically verified, hackers can modify application packages (APKs) without breaking their cryptographic signatures. What does all these mean?

Well, all Android apps are signed with a cryptographic key. App developers have their respective signing keys to issue updates. This also applies to the system apps, which are referring to the ones that are preloaded on the devices from the Android vendor (e.g. HTC and Samsung), and generally have complete administrator access to everything on the devices.

Bluebox found out that it is easy for hackers to grab a system app from a device, modify it for malicious purposes and pack the app back together while keeping the same, valid signing key. In other words, Android users will unknowingly update these apps on their devices. Once installed, these apps will have complete access to the entire system and carry out the malicious things that they are designed for.

CIO - "You can update system components if the update has the same signature as the platform," Forristal said. The malicious code would then gain access to everything -- all applications, data, accounts, passwords and networks. It would basically control the whole device, he said.

There are several ways for hackers to distribute these Trojan apps, which include emails, uploading to a third-party app store (e.g. Amazon), hosting them on any website or forum, and copying them to the targeted devices via USB.

Although Bluebox informed the entire Open Handset Alliance in February, it seems that little has been done to rectify the problem. Google has updated its Play Store's application entry process to block any tampered apps from being uploaded to its servers. Google is also working on security patches for its Nexus devices. Samsung only fixed the problem for its Galaxy S4, but not the rest of its mobile devices.